Readers, do you know what the following things have in common?
- A financial tech news site
- Several New England daily newspapers
- A promoter of technology awards
- And, until a few weeks ago, a well-known jeweler’s ecommerce site and a major player in ecommerce
Can anybody hazard a guess?
The answer: none of these sites were considered secure by Google Chrome, which is not exactly good for business.
Example “Not secure” site in Chrome v69. Source: badssl.com
When Google flags your site, the result will be frustrated, unhappy customers. Considering that the vast majority of people use Chrome to surf the web (around 60%, according to recent estimates), I am pretty certain anyone running a business would rather avoid this scenario altogether.
Truth be told, at this very moment there are perhaps hundreds of thousands of sites that are labeled as ‘not secure’. So, what’s going on here? Why are so many sites being flagged?
Beginning with Chrome v68, all sites without HTTPS are marked ‘not secure’
Google has been focused on getting the entire web encrypted through SSL/TLS (the technology behind HTTPS) for several years. In the past, sites using SSL were marked as ‘secure’, but with Chrome 68’s release, Google flipped the script. Now sites that don’t use SSL will be flagged as ‘not secure’.
This change was implemented in July. Later this month, more changes are coming when Chrome 70 is launched. At that stage, the browser will display a red ‘not secure’ label if a user starts to enter information (e.g., username/password, financial details, basically any type of form fill-in) on a non-HTTPS site. This will hopefully draw even more attention to the fact that the information the user is about to submit will not be encrypted and is therefore susceptible to interception or eavesdropping.
HTTPS is a more secure version of HTTP. It helps prevent intruders from tampering with the communications between your websites and your users’ browsers. It also makes it much harder for eavesdroppers to snoop on the information sent between browser and server. Your sites, and the visitors using them, are also protected from third parties who might inject ads that create security vulnerabilities, or from intruders who tamper with a site’s images, cookies, scripts, etc. in transit (e.g., to inject malware or other nasty stuff).
While the security benefits are obvious, clearly many sites are still dragging their feet on converting to HTTPS. We hope the recent browser changes from Google will be the reality check site operators need to finally make the move. It will take some planning and effort; however, it is a critical step if you do not want to see a massive drop in site visitors.
How to Install HTTPS on Your Site
Although it’s not terribly expensive or difficult to convert a site to HTTPS, it of course does require some effort. There are four key steps:
- Obtain an SSL/TLS Certificate from your preferred vendor; if you’re using a hosting company, they might have a list of suggestions. Check out our step-by-step process for what type of certificate you might need: https://www.globalsign.com/en/company/blog/articles/guide-to-choosing-an-ssl-certificate/. We also have guides for generating CSRs (part of the ordering process) here - https://support.globalsign.com/customer/en/portal/articles/1229769-certificate-signing-request-csr---overview.
- Install your certificate. Check out our installation instructions for a number of server types here - https://support.globalsign.com/customer/en/portal/articles/1309527-install-an-ssl-certificate---overview.
- Once your certificate is installed, check your server configuration to make sure you are using the right, up-to-date settings. You can use our free tool here - https://globalsign.ssllabs.com/.
- Once your site’s conversion process is complete, be sure to notify Google. This is another vital step that will initiate a re-indexing of your site in Google’s search database. Google outlines this process and has additional tips for implementing SSL here - https://support.google.com/webmasters/answer/6073543?hl=en.
Important – Make sure your site is being served over HTTPS!
A critical part of the transition to HTTPS is making sure you have the correct server-side 301 redirects in place to send users and search engines to the HTTPS version. We’ve actually noticed this a lot lately – sites that haven’t set this up properly, so users are still being sent to the HTTP versions and seeing the ‘not secure’ flag. If you manually type HTTPS at the beginning of the address, you can see that the site uses SSL, but it is very unlikely a user will even know to try this, so your best bet is to have your whole site redirected to HTTPS.
You will also want to ensure that every page on your site is secured with SSL, not just the pages that collect personal or payment information.
You may also want to consider implementing HSTS (HTTP Strict Transport Security), which forces all connections over HTTPS, even if a user manually types in HTTP. HSTS helps prevent a type of attack known as “SSL stripping”, a man-in-the-middle attack in which an attacker downgrades a connection intended for HTTPS and intercepts its content. It also eliminates the option for users to click through certificate warnings. With HSTS, users can only connect to the site if there is a valid, trusted certificate; all other connections are blocked, without the option to click through.
For more on HSTS and instructions for how to implement, check out our dedicated article – What Is HSTS and How Do I Implement It?
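To verify the two points above (the server-side 301 redirect and the HSTS policy) as part of the configuration check in step 3, here is a small added checker; it is example code written for this post, not a GlobalSign tool. It works on response status codes and header dicts (lowercase header names) so it runs offline against the constructed sample responses at the bottom; the host shop.example and the one-year minimum max-age are assumptions.

```python
from urllib.parse import urlsplit

# Headers are a dict with lowercase names, as an HTTP client library would hand
# them back. 301 is the redirect the post recommends; 308 is the other
# permanent-redirect status and is accepted as equivalent.
PERMANENT_REDIRECTS = (301, 308)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or lacking max-age."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def check_http_redirect(requested_url, status, headers):
    """Findings for the response a plain-HTTP request for requested_url received."""
    if status not in PERMANENT_REDIRECTS:
        return [f"HTTP request got {status}, expected a 301 redirect to HTTPS"]
    req, dst = urlsplit(requested_url), urlsplit(headers.get("location", ""))
    findings = []
    if dst.scheme != "https":
        findings.append(f"redirect target is not https: {dst.geturl()!r}")
    if dst.hostname != req.hostname:
        findings.append(f"redirect changes the host to {dst.hostname!r}")
    if dst.path != req.path:  # deep links must land on the same page over HTTPS
        findings.append(f"redirect drops the requested path {req.path}")
    return findings

def check_hsts(headers, min_age=31536000):
    """Findings for the HSTS policy on an HTTPS response (min_age: one year)."""
    policy = parse_hsts(headers.get("strict-transport-security"))
    if policy is None:
        return ["no Strict-Transport-Security header; first visits can still be stripped to HTTP"]
    findings = []
    if policy["max_age"] < min_age:
        findings.append(f"HSTS max-age {policy['max_age']} is shorter than {min_age}")
    if not policy["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains; subdomains stay exposed")
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    url = "http://shop.example/products/ring"
    print(check_http_redirect(url, 200, {"content-type": "text/html"}))   # not redirected
    print(check_http_redirect(url, 301, {"location": "https://shop.example/products/ring"}))
    print(check_hsts({"strict-transport-security": "max-age=31536000; includeSubDomains"}))
```

An empty findings list for both checks means the HTTP version redirects every path to its HTTPS twin and the HTTPS version pins browsers to HTTPS for at least a year.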
Don’t get flagged by Google. Switch to HTTPS today!
Ultimately, converting your site to HTTPS will make it more secure, leading to customers who will stick around instead of fleeing to other sites.
For more details on implementing SSL/TLS and converting your site, this prior blog post is chock full of information and helpful tips. And, of course, if you have more specific questions about your set-up, please don’t hesitate to contact us.